What is the magic of "public" for remote images

Here is something I don’t understand about the public flag of an image.
I added two remote servers, both are LXD servers, so this is using the lxd/tls protocol.

One server is in the same DNS domain, say srv1.mydomain.top. The other is in another DNS domain, say srv2.otherdomain.top.

Both servers are added with the --public flag so that no password is needed.

I can see all images on srv1, public or not public.
I can only see public images on srv2.

What’s the magic here?

Most likely your client is trusted by srv1, so even though you told LXD that it’s a public image server, the fact that the client connects with its certificate gets you all images as your client is trusted by the server.

How did I make my client to be trusted by srv1?
BTW the client is not listening to port 8443

With lxc config trust list I can show the trusted clients.
However, I’m sure I never instructed the server to trust the client. All I did was (on the client) to add the remote with the public flag. The server must have added the client automatically as “trusted”.

There is no code path for the server to automatically add a client as trusted.

The most likely reason why it is trusted is because you once did lxc remote add without --public and provided the trust password or use lxc config trust add to get a token to use with lxc remote add.

Yes, that is what I think has happened